Hi, I'm trying to split a large PCAP by limiting each output file to 5 million packets using the EditCap CLI. I use the command "editcap -c 5000000 inputFilePath outputFilePath" and some sort of split occurs. But when I tshark the resulting files, they each seem to start at index 1 in the first column, and at time 0 in the 2nd column. Is there a way to maintain the original values for either of these first two columns? Need the time to be maintained at least constant from the original file.
asked 16 Oct '17, 18:37
The index is the index into that particular file, so no, that will always start at 1.
The time is the time from the previous packet in that particular file, so no, that will always start at 0.
As you remark that the 'time to be maintained at least constant from the original file', I assume you mean that you want to keep the original wall clock timestamps. That is in fact happening; you would have to select the timestamp output to print the wall clock time instead of time since previous packet.
answered 16 Oct '17, 23:16
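The following is an added example, not part of the original question or answer. It builds a small constructed classic-pcap file in memory, splits it by packet count, and shows that each packet record keeps its absolute timestamp while the per-file index and relative time restart. All function names are hypothetical, and the original index is computed on the assumption that chunk k (0-based) of a fixed-count split holds packets k*count+1 onward.

```python
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # classic pcap file header, little-endian
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def build_pcap(timestamps):
    """Constructed sample: one 4-byte dummy packet per (sec, usec) timestamp."""
    out = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in timestamps:
        out += REC_HDR.pack(sec, usec, 4, 4) + b"\x00" * 4
    return out

def read_records(pcap):
    """Yield (ts_sec, ts_usec, raw_record) for each packet record."""
    off = GLOBAL_HDR.size
    while off < len(pcap):
        sec, usec, incl, _ = REC_HDR.unpack_from(pcap, off)
        end = off + REC_HDR.size + incl
        yield sec, usec, pcap[off:end]
        off = end

def split_by_count(pcap, count):
    """Fixed packet-count split: records are copied byte for byte."""
    header = pcap[:GLOBAL_HDR.size]
    recs = [raw for _, _, raw in read_records(pcap)]
    return [header + b"".join(recs[i:i + count])
            for i in range(0, len(recs), count)]

def describe(chunk, chunk_index, count):
    """Rows of (index in file, original index, relative s, absolute epoch s)."""
    rows, first = [], None
    for local_no, (sec, usec, _) in enumerate(read_records(chunk), start=1):
        ts = sec + usec / 1_000_000
        first = ts if first is None else first
        original_no = chunk_index * count + local_no  # assumption: see lead-in
        rows.append((local_no, original_no, round(ts - first, 6), ts))
    return rows

if __name__ == "__main__":
    # Constructed timestamps, one second apart.
    sample = build_pcap([(1508179020 + i, 500000) for i in range(5)])
    for k, chunk in enumerate(split_by_count(sample, 2)):
        for row in describe(chunk, k, 2):
            print(k, row)
```

With tshark itself, the `-t ad` option selects absolute date and time for the time column.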